
No Radius Live Logs on ISE

kentwirianata
Level 1

Hello, I'm trying to configure the switch so that ISE can trust the switch. Here's the topology. [ISE IP: 172.16.10.25]

kentwirianata_0-1710670464865.png

I'm using this config on the switch:

aaa new-model
!
radius server ISE1
 address ipv4 172.16.10.25 auth-port 1645 acct-port 1646
 key 0 cisco
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update newinfo periodic 600
aaa accounting dot1x default start-stop group radius
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server retry method reorder
radius-server timeout 3
radius-server deadtime 15
!
aaa group server radius ISE-GROUP
 server name ISE1
!
aaa server radius dynamic-author
 client 172.16.10.25 server-key cisco
!
interface GigabitEthernet0/0
 switchport mode access
 switchport access vlan 10
 ip device tracking maximum 10
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast

But there are no RADIUS live logs in ISE. Can anyone tell me what's wrong with it and what I should change in the switch config?

 

12 Replies

Can I ask you something not related to your issue, but that I face in my lab? You use FTD and Win; can you access FTD FDM via Win? Which Win do you use, Win7 or Win10?

Can you share a link to download Win10 if you use it?

And for your question:
debug radius <<- on the SW, check whether the SW is sending RADIUS requests to ISE

MHM

kentwirianata
Level 1

In this lab I access FTD via FMC with Win, and I'm using Win10, so I don't use FDM. But I do have experience in the field that I need to put the FTD in routed mode; at least that's what my co-worker told me (I don't know if transparent mode can also work).

I would like to share the link, but unfortunately I'm using my office virtual lab, so I don't know where to download it; they didn't tell me, and I don't have access to copy the images via WinSCP either (T_T)

kentwirianata_0-1710672026101.png

Um.. is there anything wrong with it? I'm really new to this.


no debug radius 

debug dot1x all <<- use this instead 

MHM

Regarding the FTD and Win, can you check whether you use FTD 7.x.x or 6.x.x?
Thanks a lot

MHM

Thanks a lot.
Regarding the ISE issue:

show aaa servers
debug dot1x all <<- this was not shared

MHM

balaji.bandi
Hall of Fame

Which switch is the configuration you provided for, Switch5? At a high level I see only switchport access (I do not see any access vlan - is that intentional?)

Check the guide below for ISE wired deployment:

Switch Configuration for Differentiated Authentication

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--2087711541

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello @balaji.bandi, I really thank you for the documentation you gave. But I have a problem where in the AD group section there's nothing in it when I choose 'Select Groups from directory'. Perhaps you know something?

kentwirianata_5-1710757421295.png

kentwirianata_6-1710757470214.png

@kentwirianata your ISE node ISETEST is not joined to the domain isedemo.lab, so there will not be any groups for you to import.

Select the box next to ISETEST, then click Join. You then need to enter your AD credentials to join ISE to the domain; the account you use must have the correct permissions to add the ISE node to the domain. Use the administrator account, as it's a lab.

Once joined you can then import the AD groups.

You need to join ISE to AD - check in the document how to join ISE to AD before you can get AD groups in ISE.

BB


kentwirianata
Level 1

kentwirianata_0-1710751969016.png

Oh sorry, I forgot to write it, but I do configure switchport access vlan 10.

@kentwirianata if there are no live logs in ISE, this could be because the switch is not defined in ISE as a Network Device, or the source of the RADIUS request comes from a different IP address than the one defined in ISE, or the shared secret is incorrect.

Is the switch defined as a Network Device in ISE with the correct IP address?

If the switch has multiple IP addresses, have you defined the RADIUS source interface? Use the command "ip radius source-interface <interface>". The IP address of that interface is what would be configured in ISE under the Network Device for that switch.

Check your shared secret matches on the switch and ISE.
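To make the three causes in the reply above concrete, here is an added example that is not part of the thread and not Cisco code. It builds an 802.1X-style RADIUS Access-Request (RFC 2865, with the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present) and then runs the same pre-authentication checks a RADIUS server such as ISE performs: is the UDP source address a known Network Device, and does the Message-Authenticator verify under that device's shared secret. Assumed values: the switch's RADIUS source address is 172.16.10.1 (the thread never gives the switch IP) and the shared secret is "cisco" (from the posted config). Only the Python standard library is used; every packet is constructed inline, not captured.

```python
"""Added example (not from the thread): emulate the checks a RADIUS server such
as ISE applies to an Access-Request before any policy is evaluated, covering the
three causes named above: unknown network device, wrong source IP, wrong shared
secret. Assumption: switch RADIUS source IP 172.16.10.1, shared secret 'cisco'."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code, identifier, length, 16-byte Request Authenticator


def _attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, nas_ip, user, ident=1, authenticator=None):
    """Build an 802.1X-style Access-Request carrying an EAP Response/Identity.
    RFC 3579: any packet with EAP-Message must carry Message-Authenticator,
    an HMAC-MD5 keyed with the shared secret over the whole packet with the
    Message-Authenticator value set to 16 zero octets."""
    authenticator = authenticator or os.urandom(16)
    eap_identity = b"\x02\x01" + struct.pack("!H", 5 + len(user)) + b"\x01" + user
    attrs = (_attr(ATTR_USER_NAME, user)
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_EAP_MESSAGE, eap_identity)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    pkt = header + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute


def parse_attrs(pkt):
    """Return (type, value_offset, value) per attribute; reject bad lengths."""
    out = []
    i = HEADER_LEN
    while i < len(pkt):
        if i + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        attr_type, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("bad attribute length")
        out.append((attr_type, i + 2, pkt[i + 2:i + length]))
        i += length
    return out


def verify_message_authenticator(secret, pkt):
    """True only if the packet is well formed and its Message-Authenticator
    verifies under `secret`. A mismatched shared secret fails here, so the
    request is discarded before authentication is ever attempted."""
    if len(pkt) < HEADER_LEN or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    try:
        attrs = parse_attrs(pkt)
    except ValueError:
        return False
    for attr_type, off, value in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # EAP-Message without Message-Authenticator must be discarded


def classify_request(src_ip, pkt, network_devices):
    """network_devices maps the IP the request must come FROM (what ISE has
    under Network Devices) to that device's shared secret. The lookup is by
    UDP source address, not by the NAS-IP-Address attribute inside the packet."""
    if src_ip not in network_devices:
        return "rejected before authentication: unknown network device (check ip radius source-interface)"
    if not verify_message_authenticator(network_devices[src_ip], pkt):
        return "rejected before authentication: Message-Authenticator mismatch (shared secret differs)"
    return "accepted: request enters policy evaluation"


def demo():
    """Run the three scenarios from the reply above against a one-entry NAD table."""
    ise_network_devices = {"172.16.10.1": b"cisco"}  # assumed switch IP, secret from the post
    good = build_access_request(b"cisco", "172.16.10.1", b"host/PC1")
    bad_secret = build_access_request(b"Cisco", "172.16.10.1", b"host/PC1")
    return {
        "ok": classify_request("172.16.10.1", good, ise_network_devices),
        "wrong_source_ip": classify_request("172.16.20.1", good, ise_network_devices),
        "wrong_secret": classify_request("172.16.10.1", bad_secret, ise_network_devices),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} {verdict}")
```

The point of the example is the order of the checks: the source-address lookup happens before any cryptography, so a switch that sources RADIUS from an interface other than the one registered in ISE is rejected regardless of the secret, and a correct source address with a wrong secret fails the Message-Authenticator check. Neither case reaches the policy engine, which is why fixing the Network Device entry and the shared secret comes before looking at authentication policy.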